DNN (DotNetNuke) < 5.2.0 SearchResults.aspx XSS

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server contains a ASP.NET application that is affected
by a cross-site scripting vulnerability.

Description :

The version of DNN installed on the remote host is affected by a
cross-site scripting vulnerability due to a failure to properly
sanitize user-supplied input to the 'Search' parameter of the
'SearchResults.aspx' script before using it to generate dynamic HTML
output. An unauthenticated, remote attacker can exploit this, via
specially crafted search terms, to execute arbitrary script code in a
user's browser session.

The installed version is also potentially affected by an information
disclosure vulnerability, although Nessus has not tested for this.

See also :


Solution :

Upgrade to DNN version 5.2.0 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 42979 (dotnetnuke_search_page_xss.nasl)

Bugtraq ID: 37139

CVE ID: CVE-2009-4110